
Do not read codes but patch binary.

Simple overwriting of GOT

GOT overwriting is a good starting point for making sense of what is all about "relocation". Relocation can be done in two phases; statically or dynamically. Here, I will mention about dynamic relocation.

When you call a function whatever defined on a shared object dynamically, you must set where the instruction pointer heads for to call it. To reach out the point, it needs to be hopped on at least 2 section headers mapped separately on a different program header when you relocate it.

First step is on .plt (procedure linkage table) section which will be usually mapped on so called "text segment" with .text section by libc so.

Second step is on .got(global offset table) section which is distinctly mapped on "data segment" considering a memory gap starting from the first mapping which is set as virtual address offset of second program header.

But note that dynamic linker will not jump on the address where global offset table sits. Procedure linkage table will indicate where the next instruction should come referring to the value of global offset table not the address of global offset table itself on data segment.

What the dynamic loader relocates means is simply rewriting a sequence of bytes on GOT which denotes a memory address. It addresses next instruction of .plt before the relocation so that relocation itself can be optional for a loader. When it is not set, instruction pointer will be set to the next instruction as it often does, and go to the next jump which are the head of global offset table. If you set the value.

Why does it need to be optional? Consider a situation where you loaded a shared library which depends on many functions on other libraries with heavy dependencies, but you won't make use of most of them. For example, if you include a header which was defined on, it refers many functions on; a function on std::Thread class might depend on pthread_create(4) on In that case, it is just in vain if you do not call std::Thread on main program to connect std::Thread on with pthread_create on Loading relocation cost can be postponed in that situation till the actual function call. One example about this is one of the flag;RT_LAZY which can be set as 2nd argument of dlopen(2), which will save computational cost of loading phase.

Coming back to the functionality which is provided by PLT & GOT, you can easily hook a function which bridges to another shared object by rewriting (re(relocating)) address on GOT unless it is set lazily.

First, you get the address of PLT, then go to GOT where you modify the value to wherever you want to jump on instead. Note that when you have GNU_RELRO on program header, it contains the head & tail of post-filled-in address including .got, and set read only mode after relocation is done. But, if something is filled at first by dynamic loader, the memory protection can be gained permission to write calling again mprotect(,PROT_WRITE).

Here is the short snippet of the code to do that.

#include <stdio.h>
#include <sys/mman.h>

// This is a simple example to hook puts() defined on
// on Global offset table and covert to function f2() defined on this file.

// what this does is as follows.
// 1st, find procedure linkage table(PLT) of puts examining part of text area.
// 2nd, get the pointer of PLT and get the offset of GOT.
// 3rd, get the pointer of global offset table(GOT).
// 4th, rewrite it!
// 5th, test if the hooking is worked out.

// basically this scheme should work out in any 

void f1() {
  // when you call put function,
  // instruction pointer which will be jumped from them will tell you
  // where is PLT.

void f2(){
  const char str[] = "world!";
  // default gcc might convert printf(string\n)
  // to puts. be careful as puts had been converted to f2 itself.
  printf("%s \n",str);

int main() {
  unsigned char* begin = (unsigned char*)&f1;
  unsigned char* end = (unsigned char*)&f2;
  for (;begin!=end;begin++) {
    // assume call instruction is represented as
    // 0xe8 + 4byte(%rip).
    if (*begin == 0xe8) {
      // cast the pointer so you can grab 4 bytes to get offset operand.
      unsigned int* offset1 = (unsigned int*)(begin+1);
      // calculate address of PLT e.g. in assembly asm ( "lea offset(%rip), %rax" ;)
      size_t* tmp_plt_addr = (size_t*) ((size_t)(begin+5)+(long int)(*offset1));      

      // address calculation towards negative side is a bit tricky.
      // you just need to pass the beggining 3byte of original one as previous subtraction altered it,
      unsigned short* plt_addr = (((size_t)tmp_plt_addr)&0x000000ffffff) | (size_t)(begin+4) & 0xffffff000000;
      // below might work out alternatively.
      /* size_t* plt_addr = (size_t*) ((size_t)(begin+5)+(long int)(*ptr_) - 0x100000000) ; */
      // after you come to plt, what waits you is not another call, but jump.
      // And the jump is not ordinary jump but jump to the address which was set on GOT.
      // it starts from 0xff,0xx25,4byte(%rip)
      // first 0xff is opcode, the second is determining addressing.
      // what you need to hold is last 4 byte which is offset from current %rip to GOT.

      // since the type is short one step means 2byte forwards.
      // get the offset which is 4 byte.
      unsigned int* offset = (unsigned int*)plt_addr;
      // proceed another 2*2(4byte) to reach %rip.
      // calculate GOT of this function.
      // it does not hold any instruction but only 8byte address.
      size_t* got_addr = (size_t*)((size_t)plt_addr + (unsigned int)*offset);

      // if there is a GNU_RELRO on program headers,
      // it might be the case that libc protected the part of data segment as read only
      // after loader relocated them.
      // you can reask kernel the mapping can be writable.
      // finally rewrite it to whatever you like to jump.
      *got_addr = (size_t)f2;      

  // When you call puts after got overwriting,
  // f2 will be instead called.
  // make sure you get "world!" not "hello!"

That is simple enough to contain essence of relocation. But, if you want to reach comprehensive understanding, I will recommend you to read musl( carefully.

Copying instruction area & executing it on the fly

Calling a function means setting one of the registers onto which the instructions for the function are stayed.

Even when you call it at multiple times, the memory you access will never be changed by contrast with the allocation of the footprint of the computation (which is called often stack or heap).

We often pay too much attention to the memory where the actual computation is done because they are always so dynamic that you need to keep track of all the stuffs which had been done, which is ongoing, and which are going to be performed, especially you allocated something on memory outside of stack area.

But, these dynamic computation; jump, allocation and deallocation, is just governed by another special area which is often called code area, and they are mapped onto somewhere on virtual memory in a same manner that other areas are allocated. The each role that code area and execution area is in charge of seems to be distinct by nature. One is statically telling CPU what is done next and another is engaging on it's embodiment or performance. Of course, since the performance is influenced from running environment which is varying constantly such as external file which will be opened, sets of runtime arguments, or environment variables, the patterns of accessing the memory of code area will get some feedbacks from it which we often call it branching. Nevertheless, it's nature is distinctly split as one is statically recognised by CPU, another is dynamically following it.

Self-modifying code is something which are different from the perspective we saw above. Codes can be constructed on its running time and executed on the spot which makes us think computation as much more colourful and flexible as it was thought.

Today, I will introduce a piece of very concise code which are copied from text area on the fly to wherever you like and executed.

when you write a function,

int f1(){
   return 1;

They are translated to binary and sit onto a chunk of memory in a pretty obedient manner. The memory where the binary sits is not user-defined but instead mapped by kernel and kept tracked by as a chain of dynamic shared objects which is hidden on libc. What you are able to know is just the head of it,


then, you will see the starting address.

if you want to know what was pasted as binary figure on this function, then you should define another function just under the function(how each functions are aligned depends on compiler..), and examine the data in between.

int f1(){
   return 1;

void f2(){}

char* start = &f1;
char* end = &f2;
for(;start != &end;start++)

When kernel maps these instructions, you are often not allowed to write your arbitrary data to the memory.

*start = 1;

Instead, you can make executable mapping, pasting them and can run on it eventually.

char* ret = (char*) mmap( (void*)0, 4096*1, PROT_READ|PROT_WRITE|PROT_EXEC,
                                              MAP_PRIVATE|MAP_ANONYMOUS|MAP_FIXED, -1, 0);

memcpy(ret, ptr, len_f1);
int (*_f1)() = (int (*)())(ptr);

I allocated executable memory on the very beginning of virtual memory as libc often allocates program to higher memory.

Of course, you can modify its binary as you love.

This is just the very trivial example of self-modification code but somewhat may blow your mind, that was my intention of this writing.

Entire code snippet is here.

#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <sys/mman.h>

// binary(instruction) which are mapped.
// 0x55(push esp)
// 0x48,0x89,0xe5(mov %esp %eip)
// 0xb8,0x01,0x00,0x00,0x00(mov:immidiate assignment to %eax)
// 0x5d(leave)
// 0xc3(ret)
// this binary is mapped on to a mapped memory.
// if you modify any of them, it will change its behavior.
int f1() {
  return 1;

// binary(instruction) which are mapped.
// 0x55(push esp)
// 0x48,0x89,0xe5
// 0x89,0x7d,0xfc(first argument handling)
// 0x89,0x75,0xf8,0x8b(second argument handling)
// 0x55(push esp)
// 0xfc,0x8b(add %eax)
// 0x45(pop)
// 0xf8,0x01,0xd0(mov)
// 0x5d(leave)
// 0xc3(ret)
int f2(int a, int b) {
  return a+b;

// main has lots of binary.
int main(int argc, char **argv, char **envp) {

  for (;*envp;envp++) {
    if (*envp == "DONE")

  char* ptr;
  // grab a head address of area where instruction code is packed.
  ptr = (char*)&f1;
  // allocate a memory where you can execute and not yet mapped.
  // MAP_FIXED is not necessary according to your OS unless you map
  // ever-mapped & (m)protected area.
  char* ret = (char*) mmap( (void*)0, 4096*1, PROT_READ|PROT_WRITE|PROT_EXEC,
                MAP_PRIVATE|MAP_ANONYMOUS|MAP_FIXED, -1, 0);

  // get the length of codes on the scope of function f1 checking the difference
  // between next function pointer and itself.
  const size_t len_f1 = (void*)&f2 - (void*)&f1;  

  // copy memory which contains instructions of f1,f2,f3, main from allocated by
  // to the executable memory.
  memcpy(ret, ptr, len_f1);

  // execute f1, notify what is returned.
  int (*_f1)() = (int (*)())(ret);

  // let the pointer ahead to proceed to next function.
  ptr += len_f1;

  // main function is also mapped with the rest of function.
  const size_t len_f2 = (void*)&main - (void*)&f2;
  memcpy(ret, ptr, len_f2);

  // allocate a pointer type on a current stack.
  int (*_f2)(int a1, int a2) = (int (*)(int,int))(ret);

  char* tmpr = ptr;

  // print second function.

  // step pointer up again.
  ptr += len_f2;

  // at this time, we use strcpy
  // as there is no following function after main which is not obvious to know
  // when the binary of this function is split(in fact, there are ways to know the end of
  // program header asking libc).  
  strcpy(ret, (char*)&main);
  int (*_main)(int argc, char **argv, char **envp) = (int (*)(int ,char** ,char**))(ptr);

  // prevent the program from being endless loop setting fake environment variable.
  envp[0] = "DONE";
  // execute main function again but not exactly itself
  // as its instruction was copied and mapped to lowest virtual area.

musl code reading ( 0. 概略編 )



1.単一のshared libraryになる.

->glibcやbionicだとlibc.soの他に,,に分割され、必要に応じてdlopen()されるが、muslの場合,libc.soに纏めてくれる。   なお、静的linkも可能な様で、その場合は、単一にするメリットもないので、数個生成される.

2.docker向けcontainerのalpine linuxで採用.

->alpine imageのcontainer上でbuildして簡単にhack

3.source code量が少ない.


つまりsource code readingには良い教材という意味.


  1. sourceのclone

  2. docker run --privileged -v /source_full_path:/root -it alpine /bin/sh  (host側にsourceを残し,container上にbind mount)

  3. apk add gcc make (必要library install)

  4. cd ./root && make (muslをbuild)

  5. /root/lib/ 実行file名(e.g. a.out) (buildしたmuslのlibc.soでprogramをexec)

  6. (libraryまたはprogramをhost側で任意に変更し,4 or 5に戻る)

5の共有libraryを直接実行することにより,defaultのmuslではなく,buildしたmuslで引数で与えたprogramの実行が可能.また、組み込みcommand(e.g. /bin/ls)もmuslを利用しているので、実行fileはそれらでもよし. 共有libraryの直接実行は,通常実行と一部sequenceが異なるが,便利なdebug optionもある(glibcのものよりは少なめ).詳しくは、 /root/lib/ --helpを参照して下さい.



libcは、細かいネタの集合と見えがち(sys/..を除いたheaderだけでも117個)なので,入り口の使い方から入るのではなく、 src以下のdir(個(でもまだ多いのだけれど..),或いはsystem callを見出しにして、なんとなくまとめていくつもり.

とりあえずsrc/から書くべしテーマを推察してみる. majorどころだと,

  • ldso/(start up routine , dynamic linkのお話)
  • malloc/(別mallocとの比較/performance分析)
  • thread/(tlsとかthread_attrとかfutexとか)
  • signal/(あまり知られてない諸々細かいこと)
  • ipc/(kernel実装と絡めたお話)

その他だと、今の自分の知識だと、こんなの知ってる!?的な投稿になってしまいがちなのだが、できるだけ統合的に書くつもり. なお、投稿はあくまで自分の備忘録(勉強log)なので、読者の理解に最適化されているかはあまり考えてません.

xv6 code reading(7.channel編)



struct proc {
  uint sz;                     // Size of process memory (bytes)
  pde_t* pgdir;                // Page table
  char *kstack;                // Bottom of kernel stack for this process
  enum procstate state;        // Process state
  int pid;                     // Process ID
  struct proc *parent;         // Parent process
  struct trapframe *tf;        // Trap frame for current syscall
  struct context *context;     // swtch() here to run process
  void *chan;                  // If non-zero, sleeping on chan
  int killed;                  // If non-zero, have been killed
  struct file *ofile[NOFILE];  // Open files
  struct inode *cwd;           // Current directory
  char name[16];               // Process name (debugging)

使われ方としては、先ず, sleep,wakeupは至る所にあって

1. 普通にsyscallで呼ばれる(channelは&ticks)
2. 子processをwaitする(channelは自proc構造体へのpointer)
3. pipeを作る(channelはpipe構造体のallocateされたbyte数)
4. blockdeviceへのlog書き込み(channelはlog構造体へのpointer)
5. その他spinlock以外の方法でlockを取る全ての処理(channelは様々)


sleep(void *chan, struct spinlock *lk)
  struct proc *p = myproc();
  if(p == 0)

  if(lk == 0)
    panic("sleep without lk");

  if(lk != &ptable.lock){  //DOC: sleeplock0
    acquire(&ptable.lock);  //DOC: sleeplock1
  // Go to sleep.
  p->chan = chan;
  p->state = SLEEPING;


  // Tidy up.
  p->chan = 0;

  // Reacquire original lock.
  if(lk != &ptable.lock){  //DOC: sleeplock2

1. 現在processを取得する
2. lockがprocess tableではなかったら、次にprocessのstateを書き換える為に、process tableにもlockをかける
3. channelをprocessにsetする
4. channelをsleep状態に変更する
5. schedulerをpreemptionする


schedulerは常に process tableの中を個々のprocessのstateのみをcheckして回っており、基本的にRunnaleなprocessをRunningする為のものだ。その為、sleepされた時点でschedulerがそのprocessをrunningすることはなくなる。


static void
wakeup1(void *chan)
  struct proc *p;
  for(p = ptable.proc; p < &ptable.proc[NPROC]; p++)
    if(p->state == SLEEPING && p->chan == chan)
      p->state = RUNNABLE;


pipeは2つのfile descriptor(kernel内ではfile構造体)を引き受け、1つを書き込み専用、1つを読み込み専用としておく。

*f0)->type = FD_PIPE;
  (*f0)->readable = 1;
  (*f0)->writable = 0;
  (*f0)->pipe = p;
  (*f1)->type = FD_PIPE;
  (*f1)->readable = 0;
  (*f1)->writable = 1;
  (*f1)->pipe = p;


p->nwrite = 0;
p->nread = 0;



for(i = 0; i < n; i++){
    while(p->nwrite == p->nread + PIPESIZE){  //DOC: pipewrite-full
      if(p->readopen == 0 || myproc()->killed){
        return -1;
      sleep(&p->nwrite, &p->lock);  //DOC: pipewrite-sleep
    p->data[p->nwrite++ % PIPESIZE] = addr[i];

sleep(&p->nwrite, &p->lock)によって、byteのoffsetに対応したchannelに書き込みを行う。


piperead(struct pipe *p, char *addr, int n)
  int i;
  while(p->nread == p->nwrite && p->writeopen){  //DOC: pipe-empty
      return -1;
    sleep(&p->nread, &p->lock); //DOC: piperead-sleep
  for(i = 0; i < n; i++){  //DOC: piperead-copy
    if(p->nread == p->nwrite)
    addr[i] = p->data[p->nread++ % PIPESIZE];
  wakeup(&p->nwrite);  //DOC: piperead-wakeup
  return i;



大抵のsample code見ると次のshellの実装みたく、

if(fork1() == 0)
      runcmd(parsecmd(buf)); eventually call exec


1. 親processは親process自身のchannel上でsleepしてて
2. それを子供がexitしたら起こしにいく(親のstateをrunnableにする)
3. で、子供は子供自身のstateをunusedにせず(できず)、自分をゾンビとしておく
4. 一方、子から起こされた親process(running中)が再びwaitして、zombieの子供を殺し(stateをunusedにし)
5. 親processはwaitからreturnしますとさ


if(fork() > 0)
    sleep(5);  // Let child exit before parent.


// Pass abandoned children to init.
  for(p = ptable.proc; p < &ptable.proc[NPROC]; p++){
    if(p->parent == curproc){
      p->parent = initproc;
      if(p->state == ZOMBIE)



xv6 code reading (6.fork編)

forkは子processだと0,親processだと子pidが 帰るって仕様で、


1. process tableから空いているprocessを確保

for(p = ptable.proc; p < &ptable.proc[NPROC]; p++)
    if(p->state == UNUSED)
      goto found;

2. 取得したprocessに状態,process idを挿入

p->state = EMBRYO;
  p->pid = nextpid++;

3. kernel内のallocatorから1page(4096byte)確保し、processに確保したlowestのaddressを挿入(kernel stackとする)

if((p->kstack = kalloc()) == 0){
    p->state = UNUSED;
    return 0;

4. process内のtrap frame/context領域を確保,生成したprocess内のeip(program counter)にsystem callから帰る為の一連の処理関数のaddressを挿入

sp = p->kstack + KSTACKSIZE;

  // Leave room for trap frame.
  sp -= sizeof *p->tf;
  p->tf = (struct trapframe*)sp;

  // Set up new context to start executing at forkret,
  // which returns to trapret.
  sp -= 4;
  *(uint*)sp = (uint)trapret;
  sp -= sizeof *p->context;
  p->context = (struct context*)sp;
  memset(p->context, 0, sizeof *p->context);
  p->context->eip = (uint)forkret;

5. 現在(親)processのpageTable,size,attachしているfile,process名,trapframeを子processにそのままcopy.

// Copy process state from proc.
  if((np->pgdir = copyuvm(curproc->pgdir, curproc->sz)) == 0){
    np->kstack = 0;
    np->state = UNUSED;
    return -1;
  np->sz = curproc->sz;
  np->parent = curproc;
  *np->tf = *curproc->tf;

  for(i = 0; i < NOFILE; i++)
      np->ofile[i] = filedup(curproc->ofile[i]);
  np->cwd = idup(curproc->cwd);

  safestrcpy(np->name, curproc->name, sizeof(curproc->name));

6. その他、copy以外の特殊処理

  • 生成したprocessをschedulerが見つけられる様にprocess状態をrunnableにする。
  • trapframeのeaxレジスタの値(子processの返り値となる)を0に設定
  • 新しい子のpidをreturn
np->state = RUNNABLE;
np->tf->eax = 0;
pid = np->pid;
return pid;

一番の肝は、kernel内部でproc構造体をallocateしているのではなく、既に規定のアドレスにallocateされているprocess tableの空きentryへのaddressをpointして、そこからalignmentされた構造体に部分的に値を挿入していくということ。

親processの方は、一応値のcopyが終わった時点で、戻ってしまい、新しく挿入されたprocess table内のentryにschedulerがさしかかるとforkからcontext内のeipに設定された関数pointerを辿って、userlandに%eax=0としながらiretで戻るという仕組み。



よくpage tableはcopy on writeとかいうけど、それはuser空間の為のpageのお話で、実際にはforkで子processが返って来るためにはschedulerの対象になる必要がある。そうなると、scheduler内の切り替え対象となるcontextは、そして、それをallocateする為のkernel用page(1page)に関しては、fork時にallocateされていなければならないのだ。

kernel stackはstack領域を使うので、当然低アドレス伸長なのだけれど、trapframe(76byte)/pointer to return(4byte) function/context(20byte).


struct context {
  uint edi;
  uint esi;
  uint ebx;
  uint ebp;
  uint eip;

と被っている。それもそのはず、contextはkernel内でのschedulingの為に存在し、trapframeはsyscallの為に存在する。schedulerはsyscall(e.g. wait,sleep,exit)を含め,trapを契機に発動するのだけれど、systemcall自体は、scheduling自体は別の仕組みで動いていて両者が保存している値が一致しているという保証などないのだ。


xv6 code reading (5.paging)

How CPU works for memory access

When CPU is ordered to access a value on virtual address, it needs to address a specific page. Accessing same virtual address on two different processes must address mutually distinct physical pages.

Given a memory access instruction is supplied on a CPU, it follows these steps below to read or write data.


To accomplish this automatically via CPU, kernel needs to tell CPU the mapping when a process starts. Specifically on each step,

Step1 : Page Directory Preparation, CR3 register setup to Page Directory Step2 : Setup for Page Directory Entry Step3 : Setup for Page Table Step4 : Setup for Page Table Entry

are required.


On xv6, when a new process is created, control register3 (often abbrebiated as CR3) points to head address of page directory. The procedure is done like below.

// vm.c
  ltr(SEG_TSS << 3);
  lcr3(V2P(p->pgdir));  // switch to process's address space
// x86.h
static inline void
lcr3(uint val)
  asm volatile("movl %0,%%cr3" : : "r" (val));

Page Directory

A page directory consists of one or multiple page directory entries. Each page directory entry is 32bit in xv6 and consists of pointer to page table and some additional flags. Absolute address to page table entry is not required as page table entry is always allocated per page unit, which means you can omit last 12bit; 22bit is required. space which is left can be compensated by additional flags where its emptiness, user or kernel, rwx about pages which is managed by the pointed page table.

Page directory can be sparse because it needs to be searched by virtual address. High 10bit of virtual address should represent index of page directory entry. If elf program header specifies highest virtual address (e.g. higest bit is 0b1111111111), the last page directory entry on page directory will be used.

Page Table

You also need to prepare a page table required from a page directory entry. Each page table consists of page table entries and each of them manges one page.

xv6 code reading (4.file system編)


含ませる構成となっている。この時点で既に、superblockの構成単位,defaultfileへのinode付与,root directoryからそのdirectoryにある

全ブロック:1000個(block byte数:512byte)

blockbyte x block数により、全体で512kbyteがdisk容量とされている。
inode blockが26個で、disk上に置くinodeのbyte数が64byte,ゆえに26x512byte / 64 = 208個のinodeが置けるという計算.

(super block内における)blockのindexを指定して行われる。



ls .を実行
1. sys_openにより(.)directory のfile descriptorをuserlandで取得。
2. file descriptorを元にsys_fstatを実行し、file typeがfile/dir/devのどれかを確認
3. file typeがdirなので,dirのdirectory entryを取得。
4. directory entryに書かれたpath名とinode番号を取得。
5. inode番号にmatchしたfileのメタ情報を取得
5. それらをconsole devに書き込み。


1. sys_openでcurrent dirのinode情報にアクセス(metablock内に存在)
2. inode情報がpointerするaddressが指し示すdatablockの中のdirectory entry内を探索
(directory entryの先頭にcurdirの.があるので1block途中の16byteのみseek)
3. matchしたcurrent dirのメタ情報(type)を再度取得(この時cacheに存在するのでdiskへのアクセスなし)
4. current dirのdirectory entry内のblockをseek(最初のblockはcache済み)
5. block内のinode番号からメタ情報へアクセス
6. 4.5をdirectory entryの個数だけ繰り返す。

上から答えは、datablockに対しては最低1回(directory entryの長さが1block(512byte以上)>=32個以上のentry)、metadataに関してはcurrent dirの1回に加え,

ことがわかる。また、ls .を打った直後にls .を叩いた場合、cacheにblockが全て載っているのでblockへのアクセスは全くないはずだ。cache機能をもつbuffer blockはbio.cに書かれているがdefaultで30block分割り当てられている。

xv6のFSではdefaultで、1000個のblockの中で30個がlog blockとして割り当てられている。これは偶然cache用bufferの数と同じである。が、実際の所、必然であり、logによる書き出しは、bufferを活用している。logは、multiprocessからsystemcallが複数呼ばれた際、1度にblockをその都度書き出しせず、logheaderという所に貯めておき、最後のsystemcallが終了した段階で、logheaderの内容をbufferに移し替え、一斉にメモリに書き込む。そのようにすることで、複数processが同一blockの内容を書き換え用とした場合、各processがそのblockへのアクセスでlockされることを防ぐことができる。